Management Groups
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering Azure Management Groups: A Comprehensive Guide to Enterprise Governance
Introduction: Why Management Groups Matter
In the rapidly evolving world of cloud computing, managing a single resource or a small project is relatively straightforward. However, as organizations grow, they often find themselves managing hundreds or thousands of individual Azure subscriptions. Without a structured way to organize these subscriptions, administrative tasks become chaotic, security policies become inconsistent, and cost management becomes nearly impossible. This is where Azure Management Groups come into play.
Management Groups are the top-level container in the Azure resource hierarchy. They provide a level of scope above subscriptions, allowing you to apply governance, compliance, and access control policies across multiple subscriptions simultaneously. If you think of an Azure subscription as a bucket for your resources, a Management Group is the shelf that holds those buckets. By organizing your subscriptions into a logical hierarchy, you ensure that your enterprise environment is manageable, secure, and aligned with your business structure.
Understanding Management Groups is fundamental to mastering Azure architecture. Whether you are a cloud architect, a security engineer, or a system administrator, knowing how to design and implement a Management Group hierarchy is the key to maintaining control over your cloud footprint. In this lesson, we will explore the architecture, configuration, and best practices of Management Groups, providing you with the knowledge to build a foundation for long-term cloud success.
Understanding the Azure Resource Hierarchy
To understand Management Groups, we must first look at the broader Azure resource hierarchy. Azure uses a four-level structure to organize resources. This structure is designed to provide granular control while maintaining centralized oversight.
- Management Groups: These are the containers that hold multiple subscriptions. They allow you to govern access, policy, and compliance for all subscriptions within them.
- Subscriptions: These are the primary units of billing and management. Every resource in Azure belongs to exactly one subscription.
- Resource Groups: These are logical containers that hold related resources for an Azure solution. A resource group can contain resources like virtual machines, databases, and storage accounts.
- Resources: These are the individual instances of services, such as a specific SQL database, a virtual machine, or a virtual network.
Callout: The Power of Inheritance One of the most important concepts in Azure architecture is inheritance. When you apply a policy (such as a requirement for specific tags) or an access control role (such as Read-Only access) at a Management Group level, that configuration automatically flows down to every subscription, resource group, and resource contained within that hierarchy. This eliminates the need to configure settings individually for thousands of resources.
By nesting Management Groups, you create a tree structure that reflects your organization's business units, geographic regions, or development lifecycles. This hierarchical approach is what allows large enterprises to maintain consistency across global teams.
Core Features and Capabilities
Management Groups are not just organizational folders; they are powerful governance tools. When you group subscriptions, you unlock several critical capabilities that are essential for enterprise-grade cloud management.
Centralized Policy Management
Azure Policy allows you to enforce rules on your resources. By applying policies at the Management Group level, you ensure that every subscription follows the same standards. For example, you can create a policy that prevents the creation of resources in regions that do not comply with data residency requirements. Because this is applied at the Management Group level, you do not need to worry about individual teams forgetting to comply; the platform enforces it automatically.
Unified Access Control
Azure Role-Based Access Control (RBAC) allows you to define who can perform which actions on your resources. By assigning roles at the Management Group level, you can grant permissions that apply to all subscriptions within that group. This is particularly useful for security auditors who need visibility across the entire organization, or for platform teams who need to manage infrastructure configurations across various departments.
Cost Management and Budgeting
Management Groups provide a bird’s-eye view of your cloud spending. You can view aggregated costs across all subscriptions under a specific Management Group. This makes it easier to track how much a specific business unit or project is spending without having to manually sum up data from individual subscription billing reports.
Hierarchy Flexibility
You can nest Management Groups up to six levels deep. This allows you to mirror complex organizational structures. For instance, you might have a root Management Group, followed by a level for "Geographic Regions," then a level for "Business Units," and finally a level for "Environment Types" (Production vs. Non-Production).
Designing Your Management Group Hierarchy
The way you structure your Management Groups will have a long-term impact on your ability to manage Azure. There is no "one-size-fits-all" approach, but there are industry-standard patterns that work well for most organizations.
The "Functional" Pattern
This approach organizes subscriptions based on the purpose of the business unit.
- Root Management Group
- Shared Services: Centralized networking (Hub-and-Spoke), security logging, and core identity services.
- Business Unit A: All subscriptions related to the sales department.
- Business Unit B: All subscriptions related to the engineering department.
The "Lifecycle" Pattern
This approach prioritizes the environment type, which is often used to ensure that production environments have stricter security controls than development environments.
- Root Management Group
- Production: Strict policies, limited access, high-availability requirements.
- Non-Production: More flexible policies, broader developer access, cost-optimization focus.
- Sandbox: Highly restricted environments for testing, where resources are automatically cleaned up.
Note: Always start with a "Root" Management Group. When you enable Management Groups in your tenant, a default root group is created. All subscriptions will fall under this group until you move them. Do not ignore the root group; use it for global policies that must apply to every single subscription in the organization.
Step-by-Step: Implementing Management Groups
Implementing Management Groups requires proper planning. Follow these steps to set up your initial hierarchy.
Step 1: Elevate Access (For Global Administrators)
By default, a Global Administrator in Azure Active Directory (now Microsoft Entra ID) does not have access to manage Management Groups. You must elevate your access to the root level.
- Sign in to the Azure Portal.
- Search for "Management Groups."
- Select "Management Groups" from the services list.
- If you are an administrator, you may see a banner asking to elevate access. Click "Elevate access" to grant yourself the "User Access Administrator" role at the root scope.
Step 2: Creating a New Management Group
Once you have access, you can begin building your tree.
- Click on the "+ Create" button in the Management Groups blade.
- Provide a unique "Management Group ID." This is a permanent identifier, so choose something descriptive (e.g.,
prod-mgmt-group). - Provide a "Display name," which is what users will see in the portal (e.g., "Production Environment Group").
- Choose the parent group. If this is your first level, select the "Root" group.
- Click "Submit."
Step 3: Moving Subscriptions
Now that your containers are ready, you need to move your existing subscriptions into them.
- In the Management Groups blade, find the subscription you wish to move.
- Click on the three dots (ellipsis) next to the subscription name.
- Select "Move."
- Select the destination Management Group from the dropdown menu.
- Confirm the move.
Warning: Moving a subscription can change the effective policies and permissions inherited by that subscription. Always perform a "What-If" analysis or check the inherited policies before moving a production subscription to ensure you do not inadvertently break existing workflows or security configurations.
Practical Examples: Policy Enforcement with Code
One of the primary reasons to use Management Groups is to enforce policy. Here is how you can use Azure CLI to assign a policy to a Management Group. In this example, we will enforce a policy that requires all resources to have a "CostCenter" tag.
First, identify the Management Group ID:
# List all management groups to find the ID
az account management-group list --output table
Next, define the policy assignment:
# Assign a policy that requires a 'CostCenter' tag
az policy assignment create \
--name "Require-CostCenter-Tag" \
--scope "/providers/Microsoft.Management/managementGroups/my-dept-mgmt-group" \
--policy "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62" \
--params '{"tagName": {"value": "CostCenter"}}'
Explanation of the Code:
--scope: This is the most critical parameter. By specifying the path to your Management Group, you ensure the policy applies to everything underneath it.--policy: This points to the built-in Azure Policy definition ID. In this case, the ID corresponds to the "Require a tag on resources" policy.--params: This allows you to pass specific values to the policy, such as the name of the tag you want to enforce.
By running this at the Management Group level, you have effectively enforced a cost-tracking standard across every subscription in that department without touching individual resources.
Best Practices for Management Group Governance
Governance is not a "set it and forget it" task. To maintain a healthy Azure environment, follow these industry-standard practices:
1. Maintain a Shallow Hierarchy
While you can go six levels deep, it is rarely necessary. A hierarchy that is too deep becomes difficult to visualize and troubleshoot. Aim for 2-3 levels deep unless your organization is extremely complex.
2. Use "Policy-as-Code"
Do not rely on the Azure Portal for creating and managing policies. Use Infrastructure-as-Code (IaC) tools like Terraform or Bicep. This ensures that your governance rules are version-controlled, peer-reviewed, and repeatable.
3. Separate Security and Operations
Use different Management Groups for security-sensitive workloads and general operational workloads. You might have a "Security-Audit" group where your security team has high-level read access, keeping those permissions separate from the "Development" group where developers have write access.
4. Regularly Audit Permissions
Inheritance is powerful, but it can lead to "permission bloat." Periodically review who has access to your Management Groups. Use Azure Privileged Identity Management (PIM) to ensure that elevated roles are only active when necessary.
5. Standardize Naming Conventions
Just as you name your resources, you should name your Management Groups according to a strict standard. For example, use prefixes like mg-prod-, mg-dev-, or mg-shared- to make it immediately obvious what a group contains.
Common Pitfalls and How to Avoid Them
Even experienced architects can run into trouble with Management Groups. Being aware of these traps can save you significant downtime.
Pitfall 1: Breaking Inheritance
Sometimes developers might try to override a policy at a lower level (like a Resource Group). While this is technically possible, it creates "policy drift."
- Solution: Use "Deny" assignments or "Policy Exemptions" sparingly. If a policy is consistently being overridden, it is a sign that the policy is too rigid and needs to be adjusted at the Management Group level, not bypassed at the resource level.
Pitfall 2: The "Root" Group Overload
Some organizations try to put all their policies directly into the Root Management Group. While this ensures global compliance, it can make it difficult for specific departments to innovate.
- Solution: Use the Root group only for policies that are truly mandatory for everyone (e.g., security logging, data residency). Use lower-level groups for department-specific configurations.
Pitfall 3: Ignoring Subscription Transfers
If you acquire another company or move subscriptions between tenants, those subscriptions might come with their own pre-existing policies.
- Solution: Always perform a policy audit after moving a subscription. Check for conflicting policies that might have been inherited from the previous owner or the new parent Management Group.
Comparison: Management Groups vs. Resource Groups
A common source of confusion for beginners is the difference between Management Groups and Resource Groups. The following table highlights the key distinctions:
| Feature | Management Group | Resource Group |
|---|---|---|
| Primary Purpose | Governance, Policy, RBAC | Organization of resources |
| Scope | Covers multiple subscriptions | Covers a single subscription |
| Hierarchy | Can be nested (up to 6 levels) | Flat (cannot contain other RGs) |
| Inheritance | Policies/RBAC flow down to subscriptions | Policies/RBAC apply to contained resources |
| Visibility | Enterprise-wide | Project or team-specific |
Callout: The Scope Hierarchy Remember the "Scope" concept in Azure: Management Group > Subscription > Resource Group > Resource. Any action you take at a higher scope automatically affects all lower scopes. If you want a rule to apply to the entire company, apply it to the Management Group. If you want a rule to apply only to a specific app's database, apply it to the Resource Group.
Advanced Management Group Strategies
For large-scale enterprises, Management Groups are the backbone of the "Landing Zone" concept. A Landing Zone is a pre-configured environment that follows best practices for networking, identity, and security.
The "Landing Zone" Architecture
In a Landing Zone setup, you create a dedicated Management Group for your "Platform" subscriptions (Networking, Identity, Management) and another for your "Application" subscriptions. By doing this, you ensure that your core infrastructure is shielded from the changes occurring in your application environments.
Automated Governance
You can automate the creation of Management Groups using Azure Blueprints or Terraform modules. When a new business unit is formed, you can trigger a script that:
- Creates a new Management Group.
- Assigns a standard set of RBAC roles to the BU leads.
- Applies a standard set of policies (e.g., "All resources must have an owner tag").
- Deploys a base network infrastructure.
This approach ensures that every new team starts with a "secure-by-default" environment.
Frequently Asked Questions (FAQ)
Q: Can a subscription be in more than one Management Group? A: No. A subscription can only belong to one Management Group at a time. This ensures that the policy inheritance path is always clear and unambiguous.
Q: What happens if I delete a Management Group? A: You cannot delete a Management Group if it still contains subscriptions or child Management Groups. You must move all contained items to another group (or the root) before the delete operation will succeed.
Q: Do Management Groups cost money? A: No, Management Groups are a free organizational feature of Azure. There is no additional cost for creating or using them.
Q: Can I use Azure Policy to restrict which regions resources can be created in? A: Yes. This is one of the most common use cases for Management Group policies. By applying a "Allowed Locations" policy, you can prevent teams from accidentally deploying resources in regions that violate your data sovereignty requirements.
Q: How do I see who has access to a Management Group? A: You can view access by going to the "Access Control (IAM)" blade within the Management Group itself. This will show you all role assignments inherited or directly applied at that level.
Key Takeaways
As we conclude this lesson, keep these essential points in mind regarding Azure Management Groups:
- Hierarchy is Governance: Management Groups provide the structure necessary for enforcing security, compliance, and cost-tracking at scale. Without them, you lose control over your Azure footprint.
- Inheritance is Your Best Friend: By applying settings at the Management Group level, you leverage the power of inheritance, ensuring consistency across all subordinate subscriptions and resources.
- Design for Your Organization: Align your hierarchy with your business structure, whether that is functional, geographic, or lifecycle-based. A well-thought-out hierarchy reduces administrative overhead.
- Policy-as-Code is Essential: Avoid manual configuration in the portal. Use tools like Terraform or Bicep to define your Management Group structure and policies, ensuring that your environment remains reproducible and auditable.
- Governance is Iterative: Start simple. As your organization grows, refine your hierarchy and policies. Regularly audit your structure to ensure it still meets the needs of your business.
- Understand the Scope: Always be mindful of the scope of your changes. A simple policy change at the root level can have massive implications for every resource in the tenant.
- Security First: Use Management Groups to enforce the "Principle of Least Privilege." By centralizing access control, you make it easier to audit and restrict user permissions across the entire organization.
By mastering Management Groups, you are not just learning a technical feature; you are learning how to build a robust, secure, and manageable cloud foundation. As you continue your journey in Azure architecture, use these concepts to guide your design decisions and ensure that your cloud environment scales effectively with your organization's needs.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons